CVE-2023-31843
Description
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL Injection via /eval/admin/view_faculty.php?id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in Sourcecodester Faculty Evaluation System v1.0's admin panel allows authenticated attackers to extract database contents via the id parameter in view_faculty.php.
Vulnerability
Sourcecodester Faculty Evaluation System v1.0 is vulnerable to SQL injection in the /eval/admin/view_faculty.php endpoint. The id parameter is directly concatenated into an SQL query without sanitization, allowing an attacker to inject arbitrary SQL statements [1].
Exploitation
An attacker with valid admin credentials (e.g., admin@admin.com / admin123) can exploit the vulnerability by sending a GET request to /eval/admin/view_faculty.php?id= with a crafted payload. For example, the payload -1 union select 1,2,3,4,database(),6,7,8,9--+ extracts the database name (evaluation_db) in the response [1]. No additional user interaction is required.
Impact
Successful exploitation allows the attacker to retrieve arbitrary data from the database, including user credentials and other sensitive information. The UNION-based injection enables extraction of multiple columns, leading to full information disclosure [1].
Mitigation
No official patch has been released by the vendor as of the publication date. The application should be updated to use parameterized queries or prepared statements to prevent SQL injection. Input validation on the id parameter is also recommended [1].
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- Sourcecodester/Faculty Evaluation Systemdescription
- Range: =1.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1News mentions
0No linked articles in our index yet.